
Getting "This token is not intended for us" when decoding ID Token



I do a login with Lock and request an id_token with cURL. It’s all OK until I want to decode the id_token with verifyAndDecode.
I get the error “This token is not intended for us”, which I verified means an aud that does not match my clientID, but in the JWTVerifier config I have set it right.
For security I have verified the id_token returned from login, and with my client secret I get “Signature Verified”, so I can’t understand the reason for this error.

$verifier = new JWTVerifier([
    'valid_audiences' => 'MY_CLIENTID',
    'client_secret' => base64_encode('MY_CLIENT_SECRET'),
]);
$decoded = $verifier->verifyAndDecode($response['id_token']);


Based on the documentation for JWTVerifier available in the GH repository, the valid_audiences option seems to expect an array; more specifically, it seems your code should be ['MY_CLIENTID'] instead of just 'MY_CLIENTID'.

I’m not very knowledgeable in PHP, but it’s the one thing that pops up when comparing your code to the sample code.
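
The audience check discussed in this thread, as an added example that is not part of the original posts and is not auth0-PHP code: a standalone `aud` comparison that validates the configured audience list up front, so a wrongly typed setting surfaces as a configuration error instead of a misleading audience mismatch. The function names `normaliseAudiences` and `audienceMatches` and all sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not auth0-PHP code. Names and sample values are constructed.

/** Normalise configured audiences; reject anything that is not a non-empty list of strings. */
function normaliseAudiences($configured): array
{
    if (is_string($configured)) {
        $configured = [$configured];   // tolerate the bare-string form from the question
    }
    if (!is_array($configured) || $configured === []) {
        throw new InvalidArgumentException('valid_audiences must be a non-empty array of strings');
    }
    foreach ($configured as $aud) {
        if (!is_string($aud) || $aud === '') {
            throw new InvalidArgumentException('valid_audiences entries must be non-empty strings');
        }
    }
    return array_values($configured);
}

/** True when at least one "aud" value in the token is an expected audience. */
function audienceMatches(array $claims, array $validAudiences): bool
{
    if (!isset($claims['aud'])) {
        return false;                  // no audience claim: do not accept the token
    }
    // RFC 7519 section 4.1.3: "aud" is a single string or an array of strings.
    $tokenAud = is_array($claims['aud']) ? $claims['aud'] : [$claims['aud']];
    foreach ($tokenAud as $aud) {
        // Strict comparison avoids PHP's loose type juggling between strings and numbers.
        if (is_string($aud) && in_array($aud, $validAudiences, true)) {
            return true;
        }
    }
    return false;
}

// Constructed claims, as they would look after the signature has already been verified.
$claims = ['iss' => 'https://example.auth0.com/', 'aud' => 'MY_CLIENTID'];

var_dump(audienceMatches($claims, normaliseAudiences(['MY_CLIENTID'])));  // array form from the answer
var_dump(audienceMatches($claims, normaliseAudiences('MY_CLIENTID')));    // bare string, normalised first
var_dump(audienceMatches($claims, normaliseAudiences(['OTHER_CLIENT']))); // token issued for another client
```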